enterprise-support team mailing list archive
Message #09361
[Bug 2027716] Re: samba dc ntlm netlogin issue with windows 10/11 2023-07 cumulative update
** Description changed:
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust
relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication
problems, most notably remote desktop access.
[ Test Plan ]
This test plan requires a windows 10 or 11 machine joined to a samba AD
DC. Windows should be fully up-to-date. In particular, KB5028166[1] must
be installed.
There are two test cases described here: a simple one, with a very
specific check that requires just one command on the windows powershell
interface, and a more elaborate one that contains a user story involving
remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC, the output of the above command will be
"False" and the verbose message will report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC patched with this update, the output will be "True"
and the verbose message will report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389 (it does not need to have any relationship with the domain), install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see
its log messages, and they will show up in the terminal it was launched
from.
- click connect, select the RDP protocol, and type in the IP of the
windows machine and the domain user credentials
With an unpatched samba AD DC, the connection will fail, and the
terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC, the remote desktop connection will accept
the credentials and work.
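A non-interactive way to run test (b) from the ubuntu client, as an added example that is not part of this bug report or of samba: instead of vinagre it uses xfreerdp (FreeRDP 2.x, package freerdp2-x11) in authenticate-only mode, which stops right after NLA, and classifies the NTSTATUS that FreeRDP's NLA layer logs. The 0xC000018D value and the sample log line come from the vinagre output above; the other NTSTATUS codes are standard values added for contrast, and the xfreerdp flags (/cert:ignore, +auth-only) are an assumption about the installed FreeRDP version.

```shell
#!/bin/sh
# Added example, not from the bug report: automated version of test (b).
# Assumes xfreerdp from FreeRDP 2.x (sudo apt install freerdp2-x11) is installed
# and that host, domain, user and password are passed on the command line.

# Map the NTSTATUS in FreeRDP's "SPNEGO received NTSTATUS: NAME [0x...]" WARN line
# to a short verdict. Only 0xC000018D appears in the bug report; the other values are
# standard NTSTATUS codes included so that a credential problem is not mistaken
# for the broken trust relationship this bug is about.
classify_nla_status() {
    log="$1"
    code=$(printf '%s\n' "$log" \
        | grep -o 'NTSTATUS: [A-Z_]* \[0x[0-9A-Fa-f]*\]' \
        | grep -o '0x[0-9A-Fa-f]*' \
        | head -n1 \
        | tr 'a-f' 'A-F')
    case "$code" in
        0xC000018D) echo "trust-broken" ;;     # STATUS_TRUSTED_RELATIONSHIP_FAILURE: DC side, this bug
        0xC000006D) echo "bad-credentials" ;;  # STATUS_LOGON_FAILURE: wrong user or password
        0xC0000234) echo "account-locked" ;;   # STATUS_ACCOUNT_LOCKED_OUT
        0xC000005E) echo "no-logon-servers" ;; # STATUS_NO_LOGON_SERVERS: workstation cannot reach a DC
        "")         echo "no-nla-error" ;;     # no NTSTATUS logged: NLA succeeded (or never ran)
        *)          echo "other:$code" ;;
    esac
}

# Probe the Windows host: +auth-only makes xfreerdp exit once NLA is done, so no
# desktop session is opened; /cert:ignore skips the RDP certificate check and is
# acceptable on a lab host only. Output is classified with the function above.
probe_rdp_nla() {
    host="$1"; domain="$2"; user="$3"; pass="$4"
    out=$(xfreerdp "/v:$host" "/d:$domain" "/u:$user" "/p:$pass" /cert:ignore +auth-only 2>&1)
    classify_nla_status "$out"
}

# Constructed sample: the line vinagre printed in the bug report, used for the offline demo.
SAMPLE_BROKEN='[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server'

if [ "$#" -eq 4 ]; then
    # usage: ./rdp-nla-check.sh <windows-ip> <domain> <user> <password>
    probe_rdp_nla "$@"
else
    printf 'offline demo on the sample log line: %s\n' "$(classify_nla_status "$SAMPLE_BROKEN")"
fi
```

Against an unpatched samba AD DC the probe prints "trust-broken"; against a patched one it prints "no-nla-error", and a typo in the password shows up as "bad-credentials" rather than being confused with the trust failure.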
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ The patches went through some iterations, but have stabilized now and
+ are committed to samba upstream. There is more work to be done
+ (https://bugzilla.samba.org/show_bug.cgi?id=15425), but the more urgent
+ fix is what is presented here and in the latest samba upstream releases.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ Problems that can happen here are, in no particular order:
+ - break domain trust entirely
+ - Microsoft publishes another patch in reaction to this which changes behavior once again
+ - more follow-up fixes are necessary
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ Given the urgency of this fix, I published a PPA and this bug report has
+ comments stating that real life deployments were fixed by this update.
[Original Description]
This bug is just a reminder/link to upstream bug
https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a
samba AD DC domain will not allow NTLM-based logins (e.g. freerdp, shared
folders on the windows 10 machine) using domain accounts.
There is already a solution to this problem. The importance is tagged as
critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need an SRU for all supported LTS
releases.
** Bug watch added: Debian Bug tracker #1041043
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041043
** Changed in: samba (Debian)
Remote watch: Samba Bugzilla #15418 => Debian Bug tracker #1041043
** Also affects: samba via
https://bugzilla.samba.org/show_bug.cgi?id=15418
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2027716
Title:
samba dc ntlm netlogin issue with windows 10/11 2023-07 cumulative
update
To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/2027716/+subscriptions